February 2013  www.csoonline.com  $9.00  BUSINESS RISK LEADERSHIP

Preston Woods, CISO at Zions Bancorporation

TECH: Internet of Things Creates New Risks  6

RISK: COSO for CSOs  14

LEAD: 15 Tips for Landing a Job Interview  20


SMARTER TECHNOLOGY FOR A SMARTER PLANET

FROM DETAILS TO DESIRES: DATA'S NEW VOICE.

Companies aren't short on data. In fact, with the average large business storing more than 200 terabytes, companies have more than enough data to tell them who is buying their product, as well as how, when and where the buying happens.

Today, however, customers expect a company to know why they're buying. Or why they aren't. Because when a company knows what motivates customers, it can serve them better.

THE POWER OF BIG DATA.

The good news is such data exists, just not in the columns, rows, reports and purchase histories we're used to. It's called big data, and it comes from tweets, videos, clickstreams and other unstructured sources. It's the data of desire. And today, we have the technology and tools to make sense of it.

Combining big data with company data paints a better picture of the customer.

of the data currently produced is unstructured, coming from sources like images, videos, tweets, posts and e-mails.

MINING MOTIVATION.

Enter Smarter Analytics from IBM: software, systems and strategies that help companies combine their own enterprise data with their consumers' unstructured data to see a fuller picture. A big data platform, paired with predictive and sentiment analytics, allows organizations to correlate, for example, sales records with social media mentions for more relevant insights.

So now, instead of learning which customers it has lost, a company can learn which customers it might lose and present timely offers or products motivating those customers to stay. Using IBM Smarter Analytics to identify which customers were most likely to switch to another communications carrier, XO Communications was able to predict likely customer defections within 90 days, reducing churn by 35 percent the first year.

"For the first time, we can decide which promotions to run based on facts rather than gut feel."
Patrick Neeley, Chief Business Officer, Chickasaw Nation Division of Commerce

With IBM Smarter Analytics, companies are gathering big data and using it to ask and answer smarter questions about what their customers really want. ibm.com/usingbigdata

LET'S BUILD A SMARTER PLANET.

IBM, the IBM logo, ibm.com, Smarter Planet and the planet icon are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. A current list of IBM trademarks is available on the Web at www.ibm.com/legal/copytrade.shtml
© International Business Machines Corporation 2012


February 2013  Volume 12, Number 1

Big Goals for Big Data
24  Many organizations are still in the dark when it comes to using big data to improve security. But for Zions Bancorporation, it's old hat.
BY BILL BRENNER

5 Places Your Data Goes to Hide
28  From auto-saved spreadsheets to test systems that use live data, CISOs warn of five often-overlooked sources of data leaks.
BY DAVID GEER

tech

6  Smart TV Hack Highlights the Risks of 'the Internet of Things'

8  Red October Attack Targets Governments by Using Infected Files and Java Exploits

10  Are You Better Off Without Antivirus? Not Yet

11  Windows Piracy in China Carries Big Risks, Microsoft Finds

12  How Hackers Stole Millions from European Bank Customers

risk

14  What to Look for in the COSO Framework Update

16  Perceptions of Risk

18  New-School Redux: Catching Up with Adam Shostack

lead

20  15 Tips for Landing and Acing a Job Interview

22  Many IT Pros Are Unaware of the Most Common Threats

23  The 5 Most Common Myths About Awareness

32  CSI: Log Files


Lean, Mean and Clean

"Burn rate": the phrase that captured the business Zeitgeist of the late '90s, particularly in Silicon Valley.

Burn rate is the pace at which your cash balance is decreasing. For startups with finite financing and paltry revenues, this is an important number. Of course, in the late '90s, at the height of the dotcom boom (and bubble), financing didn't seem finite. Since software companies could go public and cash out without ever making any money, the culture was one of extravagant spending. Rooftop launch parties, lavish work spaces, private jet travel for entrepreneurs: all commonplace.

The economy is a little different now. (You noticed?)

The phrase that captures today's Zeitgeist is "lean startup." Engineer-turned-entrepreneur Eric Ries wrote a book by that name, and it's great reading, regardless of whether you're in a startup company or some global leviathan.

In contrast to burning through your funds as you make everything perfect, extravagant and feature-rich, one of the key ideas in the lean startup methodology is "minimum viable product." Take your idea and create the simplest form you can, then start testing it with customers. You may find there's no market at all. You may find there's demand for something related but different. You keep tweaking or pivoting until you hit the right fundamental idea, one that meets a real customer need.

Then and only then do you start looking at fleshing out the idea into something more fully formed.

How can you apply this approach to your security work? Reduce project scope? Do small pilots? Create single-function apps instead of ERP-sized ones?

It's always good to be in touch with the spirit of the times.

-Derek Slater, Editor in Chief, dslater@cxo.com


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2011 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles, followed by this symbol: }. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 international. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Editor in Chief
Derek Slater
dslater@cxo.com
508 935-4213
Twitter: @derekslater

Managing Editor
Bill Brenner
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Senior Editor
Joan Goodchild
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Senior Editor, Copy and Production
Colleen Barry

Executive Director, Art and Design
Mary Lester

Art Director
Steve Traynor

Editorial Administrator
Pat Josefek

Research Manager
Carolyn Johnson

Contributors
Taylor Armerding, Mary Brandel, John E. Dunn, Elisabeth Horwitt, George V. Hulme, Gregg Keizer, Jeremy Kirk, Richard Power, Jaikumar Vijayan, Bob Violino

Editorial/Advertising/Business Offices
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
cso@omeda.com

IDG Enterprise
An IDG Communications Company

International Data Group
Chairman of the Board: Patrick J. McGovern

IDG Communications, Inc.
CEO: Bob Carrigan
Chief Content Officer: John Gallant




Trust one
Identify a

Learn about the assurance that comes with the Power of One. hidglobal.com/powerOne or scan this with a QR reader

Only HID Global has the capability to take care of all your company's identity assurance needs through a single trusted source.

From IT to corporate security, from credentials to authentication to management services, HID Global is the only one ready to provide a best-in-class Identity Assurance solution that goes beyond a simple password. Each user receives a single identity credential that can be authenticated across multiple access points and devices. One identity. One security policy. One trusted source. Only from HID Global. The Power of One.

For more information, visit hidglobal.com/powerone-cso

2012 HID Global Corporation/ASSA ABLOY AB. All rights reserved. HID, HID Global, the HID Blue Brick logo and the Chain Design are trademarks or registered trademarks of HID Global or its licensor(s)/supplier(s) in the US and other countries and may not be used without permission. All other trademarks, service marks, and product or service names are trademarks or registered trademarks of their respective owners.


A Primer for School Security

Like you, I was horrified by the school shooting in Newtown, Conn. I am hopeful that it will awaken communities around the country to the risks our schools face. They are the quintessential "soft targets," and they need special attention.

For the past six years, I have been closely involved in addressing school security through our work here at CSO, and through my own involvement with schools in my community. Here's a primer on improving school safety.

1. You must have a fully engaged group of community leaders (including police and fire officials), administrators (at the district level and in the individual schools), teachers and parents. Only by acting together can you hope to have a successful school security program.

2. Your relationships with first responders are critical, and your police and fire departments must be involved in your security plan development and its continuing testing and assessment.

3. Lockdowns: Your facilities need to have the capability to be locked down in an emergency. Can classroom doors be locked from the inside? Can connecting doorways be locked? Who can order a lockdown?

4. Control building access. You must be able to manage a single point of entry into the building.

5. Visitors must be given unique visitor badges and lanyards.

6. Set up communications (internal and external). Have an incident-response plan in place that specifies how to communicate with people inside the building and with first responders outside. Also have a plan for dealing with the media, parents and guardians, and community officials.

7. Train your staff and students on all aspects of security, including lockdowns and access protocols. They need to know what normal is so that they can easily spot the abnormal.

8. Most importantly, have a program-assurance plan in place: intrusion tests, lockdown drills, weekend drills with first responders.

When you go home tonight, please make it a point to ask questions of your community leaders about what they are doing to protect your schools.

-Bob Bragdon, publisher
bbragdon@cxo.com


Advertiser Index

IBM Corp. ... C2
LogRhythm ... 9, 11, 13
McAfee, Inc. ... 5


Executive Committee
President & CEO: Michael Friedenberg
Executive Assistant to the President & CEO: Pamela Carlson
SVP of Human Resources: Patricia Chisholm
SVP of Events: Ellen Daly
SVP & Chief Content Officer: John Gallant
SVP of Digital: Brian Glynn
SVP of Strategic Programs & Custom Solutions Group: Charles Lee
SVP, Group Publisher & CMO: Bob Melk
SVP & General Manager, Online Operations: Gregg Pinsky
SVP of DEMO: Neil Silverman
SVP & COO: Matthew Smith
SVP & General Manager, CIO Executive Council: Pam Stenson
SVP of Digital & Publisher: Sean Weglage

Sales
Publisher: Bob Bragdon
Senior National Sales Manager: Per Melker
East Coast Regional Director, Integrated Sales: Roz Burke
Account Director, Integrated Sales West: Mary Hazelton
Sales Associate: Sarah Nadeau

Integrated Media and Online Sales
East Coast Online Regional Sales Manager: Richard Hartman
West Coast Online Regional Sales Manager: Erika Karr
Central Online Regional Sales Manager: Stacy Bryne
Director of Ad Operations & Project Management: Bill Rigby
Director, Online Account Services: Danielle Tetreault

Production
VP Production Services: Chris Cuoco
Production Manager: Heidi Broadley

Marketing
Vice President, Marketing: Sue Yanovitch
Marketing & PR Manager: Lynn Holmlund

List Services
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460, ext. 100, cso@theygsgroup.com


EXECUTIVE VIEWPOINT
ADVERTORIAL

Larry Whiteside
CISO AND DIRECTOR OF ENTERPRISE IT SECURITY, RISK AND COMPLIANCE, SPECTRUM HEALTH SYSTEM

Whiteside is dedicated to building out a comprehensive security platform for the nonprofit to improve the health of families and individuals.


Healing Healthcare

In light of continual challenges, the time is right for healthcare IT to undergo sweeping change.

Healthcare IT leaders are in a compromising position. They are tasked with securing a new, substantial data set across disparate technologies. Below Whiteside discusses the need for industry-wide change, and the importance of taking an integrated, long-term strategic approach to security.

How does security in healthcare need to change?

There is a dire need to place more accountability on healthcare software and device manufacturers. Although devices are scrutinized for FDA certification, there is little attention to the quality of code or level of security. As a result, many organizations allow far too many devices to come into their environments without control over security, meaning in many instances healthcare providers cannot add antivirus or even apply necessary operating system patches without violating the unit maintenance warranty.

Unfortunately, there is little choice since these systems need to be innovative and efficient in delivering care. So security operates within bubbles, which rapidly becomes a management nightmare. It's comparable to having disparate silos of systems, and ultimately strips a healthcare organization of needed efficiencies.

What steps can IT leaders take to better prepare for the security and privacy issues?

Treat devices like computers. This means addressing security through the underlying operating system, whether it's Windows, Unix, or Linux, allowing for regular, routine processes for updating and securing.

The goal is to establish a platform that provides consolidated security management of all devices, a necessity to protect against viruses and malware and their risks. Otherwise, as the number of devices utilized for monitoring and delivering care increases, some organizations may get to a point where IT cannot keep up.

Improving awareness is monumental as well if security professionals want to become less reactive. Healthcare IT professionals need to realize that just because a security disaster hasn't happened yet doesn't mean it won't happen.

Collaboration between senior executives in different health systems needs to increase with open conversations around improving security. This is especially true for today's electronic medical records, which are transitioning from being incentivized to enforcement. Fortunately, the push forces executives to have new conversations, including utilizing technology, recognizing risk and finding ways to protect patients.

What advice do you have for your peers?

Securing a healthcare system starts with the fundamentals, but also needs to expand outside the bubble of security management in order to clearly demonstrate the business benefits. Although most business leaders understand the significance of key performance indicators, key risk indicators are equally important. Communicating the risks falls directly on the healthcare IT professional, who needs to be willing and able to discuss the risks that failing to properly invest in a solid, sustainable security system means to organizations' bottom line, business operations and reputation.

"The goal is to establish a platform that provides consolidated security management of all our devices."

FOR MORE INFORMATION:
Visit www.mcafee.com/healthcare

McAfee
An Intel Company

CSO Custom Solutions Group




Smart TV Hack Highlights the Risks of 'the Internet of Things'

Bad actors are finding new ways to get into your digital life as more and more of your furniture and appliances become Internet-enabled. BY TAYLOR ARMERDING

A SMART TV IS ONLY AS SMART AS THE PERSON CONTROLLING IT. So if the person in control is a hacker, the owner could have a problem. Researchers at security consultancy ReVuln say some smart TVs are vulnerable to hacking.

This is another example of what experts say is the ever-expanding attack surface of devices that traditionally never faced the Internet, but are now "smart."

The ReVuln researchers say they found a vulnerability in a number of smart TVs made by Samsung Electronics that gave them root access to the TV and any attached USB drives.

The researchers posted a video titled "The TV is Watching You," which shows them accessing the TV settings and channel lists, SecureStorage accounts, widgets and their configurations, the history of USB movies, and more.


CSO Forum on LinkedIn

Share best practices and insight and discuss your challenges with your security executive peers.

The CSO Forum is where members of the security community can connect and collaborate to move their security and technology initiatives and careers forward.

If you are a senior security or IT professional, we'd love to have you join. Apply for membership today.

Visit linkedin.com, click Groups and search for "CSO Forum"

Facilitated by CSOOnline.com and CSO Magazine

CSO  BUSINESS RISK LEADERSHIP

Tech


They were also able to retrieve the drive image, mount it locally and check for information like usernames, passwords and financial documents.

Luigi Auriemma of ReVuln told the IDG News Service that hackers could even use the integrated webcam and microphone to watch the victim. And he says the vulnerability is not confined to the single model that ReVuln tested.

"The vulnerability affects multiple models and generations of the devices produced by this vendor, so not just a specific model as tested in our lab at ReVuln," the report said.

Samsung did not respond to a request for comment, but ReVuln emailed a statement saying there is no firmware update yet, "as the details regarding this vulnerability have not been shared with the vendor."

The statement added that ReVuln has only tested Samsung, but said: "We think that other brands of TV may be affected by similar issues."

James Arlen, a hacking expert and a senior security consultant with Leviathan Security Group, says smart TVs are just one example of how the "Internet of Things," the online connectedness of non-computer appliances in homes, has created "a huge new attack surface" for criminals to exploit.

"I recently counted the number of IP addresses in my house and came up with all kinds of new things that require Internet access, not just the computers, game systems, tablets and music players, but also the bathroom scale, the thermostat and more," he says. "Televisions are one of many, but also the most likely to have lots of interconnection possibilities."

He says the problem is not new, noting that "printers got smarter and became a threat," and that the number of smart devices continues to expand.

Dan Frye, general manager of services at MAD Security, agrees. "A common way to get into enterprise networks is through printers attached to the corporate network. A TV on the corporate net is really the same thing," he says. "In essence, you've got a computer inside some device, whether it be a printer, a TV, a toaster, the Coke machine, etc., and that computer is just as vulnerable to attacks as a normal computer would be."

"Any new piece of technology that connects to the Internet is a probable attack surface," says Matt Johansen, WhiteHat Security threat research manager. "Look at the recent research by Barnaby Jack about insulin pumps and pacemakers.

"Who would have thought these devices would ever be susceptible to hackers?" Johansen says. "But if a hacker gets their hands on any device long enough, they'll figure out a way to break it. It was hotel door locks [and] slot machines in the past, and it will be the smart toasters and refrigerators in the future."

Gary McGraw, CTO of Cigital, says most people don't think of their TV or other household devices as computers, but they are.

"Your TV is just a computer with a monitor," he says. "And it knows a lot about you: what you've watched, whether you were home at the time."

There is some disagreement over how high a priority security should be on devices that have only recently begun to connect to the Internet.

"Focus on delivering the product to market means that the 'Ship It' award is more important than 'Is it hackable?'" says Arlen, the Leviathan Security Group consultant.

Frye agrees that security standards for such devices are "immature." But, he says, vulnerabilities are found "everywhere, all the time, in products that certainly take security into account. Microsoft, Google and Apple are all great examples."

McGraw says while the vulnerability discovered by ReVuln is real, he doesn't think Samsung is necessarily lax on security. "They make the most popular Android phone out there," he says. "So they are in the [security] wars."

To deal with the ongoing threats, both consumers and enterprises need to "control your exit path," Arlen says. "Most consumers are unaware of what traffic passes in or out of their primary systems, so they're going to be even more unaware of the traffic to and from devices that are 'furniture' rather than computers."

"More manufacturers across lots of industries need to employ or engage with the 'hacker-ish' community to solve the problems prior to the shipping of the product," he says.

Frye says that once products are released, manufacturers need to treat them like computers and "have a way for people to report vulnerabilities and a way for patches to be deployed out to their consumers."

Samsung has begun treating smart devices like computers. "Samsung has actually taken a step in a great direction with a TV bug bounty program for researchers to submit bugs to receive a reward ($1,000), which has been useful for the likes of Google, Facebook, Mozilla, and even PayPal," Johansen says.

However, every computing device is potentially vulnerable, and with the rise of the Internet of Things, there will be more of them all the time. "This problem will only get worse as we integrate more things into our home networks," Frye says.

"It's the TV now, but smart devices, smart meters for our power, the toaster, thermostat: they're all at risk in the same way."


Red October Attack Targets Governments by Using Infected Files and Java Exploits

THE LARGE-SCALE CYBERESPIONAGE operation, dubbed Red October, that targeted hundreds of government, military and research organizations did not rely solely on malicious Excel and Word documents as previously believed, researchers have found. The attackers also used Web-based Java exploits, according to findings in a recent report from Israeli IT security firm Seculert.

Researchers from antivirus vendor Kaspersky Lab published the results of their investigation into Red October in mid-January. According to their report, the victims were targeted via rogue email messages that contained malicious documents designed to exploit known vulnerabilities in Microsoft Excel and Word.

Costin Raiu, director of Kaspersky's global research and analysis team, says that other methods of distributing the cyberespionage malware might have been used, but if so, they hadn't been identified yet.

However, while analyzing the command-and-control servers used in the campaign, security researchers from Seculert discovered a special folder containing a malicious Java applet (a Web-based Java application) that was designed to exploit a Java vulnerability patched in October 2011.

The exploit found on the server was compiled in Feb. 2012, which reinforces the widely held belief that these attackers preferred to target older, known vulnerabilities, not zero-day (previously unknown) ones, the Seculert researchers said in a blog post.

The discovery was made possible because at some point the attackers switched from using PHP as the server-side scripting language on their command-and-control servers to CGI. Some older, PHP-based attack pages were still left on the servers, and accessing them in a browser revealed their source code, the Seculert researchers say.

Evidence suggests that the Web-based attack method continued to be used even after switching the infrastructure to CGI, according to Aviv Raff, Seculert's CTO. However, he says, it's not clear if the hackers have started using exploits for newer vulnerabilities in Java or other browser plug-ins in the past few months.

Raff believes that Red October is the work of a group of hackers trying to obtain high-value information that they can later sell to interested parties, rather than the result of a nation state's cyberespionage efforts.

-Lucian Constantin


LogRhythm
The Platform for Big Data Security Analytics.
www.LogRhythm.com

Tech

Bill Brenner, managing editor
CSOonline's Salted Hash blog and newsletter covers the news as it happens: blogs.csoonline.com/blog/cso

Are You Better Off Without Antivirus? Not Yet


ONE OF OUR RECENT ARTICLES issued a blistering verdict against antivirus software, declaring it a useless waste of money. From the story:

“Antivirus software is now so ineffective at detecting new malware threats that most enterprises are probably wasting their money buying it, an analysis by security firm Imperva has concluded. Questioning the protection offered by antivirus suites has become a staple theme among researchers in recent times and the study Assessing the Effectiveness of Anti-Virus Solutions, carried out for Imperva by the University of Tel Aviv, is another addition to that sobering collection.

“The team ran a collection of 82 new malware files through the VirusTotal system that checks files against around 40 different antivirus products, finding that the initial detection rate was a startling zero. The company then ran the same scan a number of times at intervals of a week apart to see whether detection improved over time, discovering that even the best-performing products took at least three weeks to add a previously undetected sample to their databases.

“Across products, 12 files that were poorly detected when new were still not detected by half of the programs when scanned at later dates. In some detections, files were simply marked as ‘unclassified malware,’ a designation that would harm the effectiveness of malware removal. It is hard to say which individual products were the least bad (readers can judge for themselves on Imperva's website), but there appeared no connection between popularity and success.”

That antivirus struggles to keep up with the always-shifting malware landscape is not news. Security experts have been saying it for as long as I’ve been writing about information security (closing in on a decade). The big antivirus vendors have long since acknowledged it by working a host of other security technologies into their product portfolios to supplement the antivirus offerings that first put them on the map.

But it’s important to remember that we’re still in a transitional period for security technology and that most of us shouldn’t be ditching antivirus just yet.

I’m reminded of a story I wrote three years ago where some infosec practitioners told me they had stopped using antivirus. David Litchfield, a leading database security expert, told me, “As an experienced security guy, I have no faith in most of the antivirus packages out there because they’re completely reactive, offer little advance protection, massively increase the attack surface and have a long history of vulnerable ActiveX controls. I’ve never used antivirus software and I’ve never once been infected with a virus." And Rich Mogull, founder of security consultancy Securosis, said “I don’t use antivirus on most of my systems, and most high-level security types use only limited antivirus.” Mogull explained that he used a lot of other security measures, including limited Web browsing, maximum security in the browser and email filtering.

But these experts agreed at the time that this wasn't something the security novice should be doing. “Knowing what is and what isn’t safe to do on a computer is 90 percent of the battle," Litchfield said.

Much has changed since I wrote that story, but I think the point still holds true: You need a high level of infosec experience to go without antivirus. For everyone else, faulty antivirus remains better than none at all. Someday technology may advance far enough that antivirus will become obsolete for everyone. But we’re not there yet.

I recently revisited the issue after we ran a story about businesses using antivirus programs that are often badly misconfigured. I asked readers for feedback and got back some good perspective.

Security analyst Don Faulkner said, "I agree that for now antivirus is still needed on most platforms, especially the desktop of the average user. The day is fast approaching, however, where today’s antivirus will be outmatched. Recent work in advanced malware, including gadget-based systems like Frankenstein, make it clear that antivirus will have an ever-harder time identifying a block of malicious code, while malware authors have an ever-expanding toolbox to work with. Marcus Ranum calls this 'enumerating badness' and gives very good reasons for why we shouldn’t do it. Antivirus has survived this long because the alternative has been perceived as harder."

Dave Marcus, director and chief architect at the Federal Advanced Program Group at McAfee, said, "In truth, it’s the OS-centric model that antivirus uses that has become obsolete. Hardware-assistance (using functionality within silicon) needs to be better understood, investigated and developed toward. Look at the upcoming 4th Gen Intel platform and you will see there are a variety of functions that can be used in ways that OS-based detection cannot approach on its own.”




CSO  Staff 


Windows  Piracy  in  China  Comes 
With  Big  Risks,  Microsoft  Finds 


IN A RECENT INVESTIGATION, MICROSOFT purchased 169 PCs from shops in China and found that all were installed with pirated versions of Windows, with 91 percent of them containing malware or deliberate security vulnerabilities.

“What we are finding is that increasingly cybercriminals are targeting both businesses and consumers right here in China,” says Nick Psyhogeos, vice president of Microsoft's original equipment manufacturer (OEM) business solutions group.

The company has long battled China’s software piracy, which is among the highest in the world. Last year China’s illegal software market was valued at close to $9 billion, while the legal market was valued at $2.7 billion, according to a study by the Business Software Alliance.

Microsoft says users of the counterfeit Windows software are often saddled with unreliable PCs running malware that can steal users’ credit card and bank account information. The software giant launched an anti-piracy campaign in China during the busy holiday season.

Over an 18-month period, Microsoft says it conducted its “most extensive forensic survey" of PCs bought in China by purchasing computers from Chinese shops and “IT malls,” which can feature dozens of different small vendors in one building. Of the 169 PCs running pirated versions of Windows, 59 percent were already infected with malware, and 72 percent featured altered Internet browsing settings that intentionally sent users to scam and phishing websites.

Some of these PCs contained a malware known as Nitol, which when activated through a pre-installed music player can remotely log user keystrokes and spy on users through the computer’s webcam. More than 70 percent of the systems also had their Windows update, Windows firewall, and user-account control warning functions disabled, making them vulnerable to cyberattacks.

“Counterfeiters have pitched this story to consumers that software piracy or pirated products themselves don’t cost anything, they’re free. They’ve also pitched the story that it works just fine, it’s good enough,” Psyhogeos said in a media briefing. “Neither of those statements are accurate."

The PC brands that were found pre-installed with counterfeit Windows software include big names such as Acer, Asus, Dell, HP and Lenovo, along with smaller Chinese vendors. But Microsoft says the piracy is believed to come from further downstream in the supply chain, through resellers who are loading the counterfeit software and malware into the products in order to lower the cost of PCs sold.

OEMs that make the PCs will often install a non-Windows operating system such as FreeDOS on the product, Psyhogeos says. This makes it highly likely that a third party will later install a pirated version of Windows on the PC during its distribution.

As part of Microsoft’s new Keep It Real campaign, the company warned 16 Beijing-based resellers, who were repeatedly found to be selling PCs pre-installed with counterfeit Windows versions, to stop the piracy. Microsoft says it will consider legal action as a last resort. -Michael Kan




WISDOM WATCH

Outlook 2013

President Obama. He’s done more to tackle cybersecurity than his recent predecessors, but he's also taken drone warfare to levels that threaten our civil liberties. His choice of John Brennan, architect of the drone program, as the next CIA chief suggests our rights will be threatened for a long time.

Anonymous. Lately the hacktivists have been targeting hate groups, suggesting a heroic new direction. But what they do is still illegal, and two wrongs still don’t make a right.

NSA’s ‘Perfect Citizen’ plan. As CSOonline recently reported, the National Security Agency calls its semi-secret technology to protect the nation’s power grid “Perfect Citizen.” But it’s far from perfect in the eyes of privacy advocates, who find it somewhat odd and amusing, but mostly disturbing.

Free security tools. The bad guys will always be there. Government will continue to do more harm than good. But we can take comfort in the fact that free infosec tools will always be around. (For a list of the best, see: www.csoonline.com/slideshow/80286)

Security execs who share. Security is a tough job. Some say it’s impossible. But as long as CSOs, CISOs and other security execs keep sharing their ideas freely, the big picture will keep improving. (Check out “77 More Great Ideas for Running a Security Program” at www.csoonline.com/article/725198)


How  Hackers  Stole  Millions 
from  European  Bank  Customers 


RESEARCHERS FROM CHECK POINT and Versafe have discovered a sophisticated attack used to steal millions from corporate and private banking customers across Europe.

The vendors describe the attack in a report called “A Case Study of Eurograbber: How €36 million was stolen via malware.” Among other things, the report says:

■ An estimated €36 million ($47.7 million) has been stolen from more than 30,000 corporate and private bank accounts.

■ The attacks originated in Italy, but quickly spread to Germany, Holland and Spain.

■ The theft involved a sophisticated combination of malware and targeted the computers and mobile devices of banking customers.

■ A new and very successful iteration of a bot attack (the Zeus Trojan) was used in the widespread Eurograbber attack.

■ Android and BlackBerry mobile devices were specifically targeted, showing that attacks against Android devices are a growing trend.

In a report summary, the researchers wrote:

“The malware, in conjunction with the attackers’ command-and-control server, first infected the victims’ computers, and then infected their mobile devices in order to intercept SMS messages to bypass the banks’ two-factor authentication process. With the stolen information and the transaction authentication number (TAN), the attackers then performed automatic transfers of funds, ranging between €500 and €250,000, from the victims’ accounts to mule accounts across Europe.”

The report offers a step-by-step picture of how individual computers are infected and how the infected machines are then used to pull off the heist.

As to how users can protect themselves from becoming victims, the report suggests the following:

1. Update software regularly.

Attackers consistently look to exploit known security flaws, so a critical preventative measure is to regularly update all computers that are used to conduct online banking transactions. Doing so ensures the most current vendor patches and security signatures are applied, thus providing the most up-to-date security available.

Here’s a list of the main elements that should be regularly updated:

■ Operating system

■ Antivirus software

■ Java

■ Adobe Flash

■ Adobe Reader

■ Internet browser

■ Any other tools or programs used for downloading files or Web surfing

One of the most common infection methods is “drive-by downloads” where malicious code is silently downloaded onto a Web surfer’s computer while they are surfing the Internet. It is very likely that some of the Eurograbber victims were initially infected by these drive-by downloads.

Maintaining current software and security products on your computer will provide the most protection against this and other popular infection techniques. Additionally, conducting regular antivirus scans can inform users of existing computer infections so they can take action to remove the malware.

2. Never respond to unsolicited email.

Social engineering is an essential part of the attack. The email directing the customer to “click on the link to improve online banking security” is the key that opens Pandora’s Box and begins the attack. These messages are known as phishing emails. If the banking customer recognizes the email as unsolicited and does not click on the link, their desktop will not be infected and the Eurograbber attack will not occur. It is very important to never respond to unsolicited emails from your financial institutions.

If the message makes you worry, then contact your bank directly. Don’t use the phone number provided in the email, but instead look up the number in a different source. Inform the bank of the email and follow their guidance.

As a user, following best practices (keeping the OS, applications and security current on your computer and exercising caution with unsolicited emails and during Internet surfing) can provide some of the very best protection against becoming infected. -Bill Brenner




What to Look for in the COSO Framework Update

We interview Richard M. Steinberg, who helped create the widely used enterprise risk management approach BY BRADLEY SCHAUFENBUEL


AS THE BUSINESS WORLD FOCUSES more on risk management, more people are turning to the frameworks developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO is a joint initiative of five private-sector organizations dedicated to providing thought leadership on enterprise risk management (ERM), internal control and fraud deterrence.

Richard Steinberg is the lead project partner of the PricewaterhouseCoopers team that in 1992 conceptualized and developed the COSO Internal Control Integrated Framework. The framework, which is in the process of being updated, with a final draft expected this April, is widely used today for designing, implementing and evaluating the effectiveness of internal controls.




Steinberg also led development of the COSO Enterprise Risk Management Integrated Framework, developed in 2004. This is a broader framework that incorporates concepts of the Internal Control framework. It describes the critical principles and components of an effective ERM process, namely, how important risks should be identified, assessed, responded to and controlled.

Bradley Schaufenbuel, director of information security at Midland States Bank, recently interviewed Steinberg for CSO.

CSO: Has the COSO framework for internal control met your expectations for adoption?

Steinberg: It’s the standard used by the vast majority of public companies for enhancement and reporting as required by Sarbanes-Oxley. It has resulted in a common language of internal control that was absent before its issuance, as well as more commonly understood concepts and terminologies of internal control. I’ve also seen enhanced communication among executives across companies. Its principles and key concepts have stood the test of time, so yes, it has met my expectations.

You have said you believe the updated internal control framework to be a substantial improvement over the old one. Why?

The key enhancement is that certain concepts inherent in the 1992 version (elements of control, attributes related to each principle) have been made more explicit. Also, the surrounding discussions have been brought up to date by focusing on new business models, evolving technology, third-party involvement and fraud detection.

The principles inherent in the framework have been highlighted, and if that’s what security managers have been focusing on, it will be received well. If the hope is for a great deal more detail on information security, then it’s probably not going to satisfy those hopes.

Does the greater recognition of third parties highlight the need for organizations to increase their focus on improving vendor management and oversight programs?

The draft updated internal control framework certainly focuses better on the risks involved and the relationships with third parties and how to better manage those risks.

We’re not only talking about relationships with vendors but also other types of third parties: service providers, representatives, agents operating in foreign locations, business partners. They’ve all received more focus in this update.

There has been criticism that the COSO risk-management framework is too complex. What can be done to simplify it or change this perception?

Risk management is simple in concept but can be challenging to deal with in the real world. I may be a bit biased, but I don't think it’s extraordinarily complex.

The cube in the framework brings concepts together in a meaningful way. But people who don't focus on risk on a regular basis or as a process might need to work a bit to get their arms around it.

There are other ways to do that than focusing solely on the framework: they can pursue educational and training programs to gain that understanding.

The framework’s Application Techniques volume is a tool that security managers might want to look into, because there’s a wealth of knowledge for specific ways to apply risk management effectively.

How pervasive are ERM programs that truly comport with the principles envisioned by the COSO risk-management framework?

Most companies practice risk management, but it’s not very common for companies to have all the elements of what COSO defines as an effective ERM framework. For example, there are some that might not really relate risks to their business objectives. They might not have set forth an established risk appetite or risk tolerances, or a portfolio view of risk.

Does a company need to apply the entire framework to benefit from ERM?

There are principles set forth in the ERM framework that need to be in place in order for a company to have what is defined as an “effective" ERM process. I do think, however, that many companies take significant steps to manage their risks without having what the COSO framework defines as ERM. In some instances, companies’ risk-management processes have served them well, but in other cases they have not. For example, we saw major banks in 2007 not focusing sufficiently on what are called “black swans,” thereby missing what were considered unlikely events that indeed resulted in having a major negative impact on those organizations.

One of the challenges of implementing a comprehensive ERM program is what a colleague of mine calls “blank-stare syndrome.” No matter how hard we try, ERM is an awful lot for folks to take in because there are so many moving parts. How do we get everyone on the same page?


That is certainly a challenge, and there are no easy answers. I’d like to start with the idea that the framework is not a primer on risk management. It's aimed at business people with some background in managing business risk. The executive summary may be helpful to boards of directors who provide oversight to get a sense of what’s involved in ERM. But the framework does not attempt to take the place of what’s obtained through experience, education and training.

It’s also important to understand that the COSO ERM framework is not a how-to on developing ERM. It describes what an effective ERM process is, what it contains and represents, and how it works. But it does not set forth a specific methodology for implementing an ERM process. So to get on the same page, it’s useful to start with the framework and the key concepts of risk management and then select a methodology for making it happen in your company.

One approach that I find helpful is to use risk concepts in the strategic development process and related implementation planning. Another approach is to set an ERM program for one business unit, with a leader who is well respected, and see the successes and benefits it brings to that unit and how it can be extended to others in the company.

In a midsize company, you can take what I call a big-bang approach, where an ERM process is developed and rolled out for the entire organization. This can work if you’ve got the support of top management to develop and design how risk management will be deployed, with an appropriate implementation plan, along with training and all the elements of an effective project and change management.

What advice would you give a security leader in an organization that does not have an effective ERM program?

It might be useful to work together with other corporate leaders such as the CFO and chief compliance officer. In some companies, this group of executives has been able to influence and persuade the CEO to support an initiative that brings ERM to the fore.

It seems that initiatives concerning good corporate governance are often event-driven. How can we convince organizations to adopt effective processes for internal control and ERM without waiting for the next meltdown?

If CFOs, compliance officers and other senior staff managers band together, they can be a major influence in getting senior operations executives to consider that risk management is good management. They can be a positive force in moving an organization to deal effectively with risk in a strategy setting and integrate risk-management principles into business objectives.

With the Dodd-Frank Act, we are seeing the implementation of ERM programs, direct board oversight over ERM, and the appointment of chief risk officers becoming mandated for some larger banks. Do you foresee similar regulations coming in industries other than financial services?

Not in the near term. However, boards of directors across industries are providing much closer oversight into risk-management programs and are suggesting to chief executives that there should be a greater focus on risk management. So the pressure is coming from that direction rather than inside the Beltway.

You have witnessed the development of ERM for several decades now. In what directions do you foresee it heading in the near and distant future?

I believe we’ll see a continued evolution to stronger risk management, especially as executives see the business benefits, like ensuring that the supply chain continues unaffected and doesn’t halt manufacturing, that you don’t have the type of financial meltdown that we’ve seen in companies in recent years, the assurance that marketing programs in foreign locations achieve their stated goals.

The risks have evolved, and there are significant new ones that need to be dealt with. Often, risk management has been ad hoc. Now, executives and boards of directors want to take a more disciplined approach to identifying, analyzing and managing risk.

BY THE NUMBERS

Perceptions of Risk

Percentage of respondents to an ISACA survey who characterized these employee activities as “high risk”:

67% Using an online file-sharing service (e.g., Dropbox or Google Docs) for work documents

57% Downloading personal files (music, apps, etc.) onto a work-supplied computer or smartphone

81% Storing their work passwords in a file on a personal device

Source: ISACA IT Risk/Reward Barometer, Nov 2012, based on 1,407 U.S.-based respondents.




Risk

Derek Slater, Editor in Chief
dslater@cxo.com; Twitter: @derekcslater


BLOG  POST 


New-School  Redux:  Catching  Up  with  Adam  Shostack 


IN EARLY 2008, ADAM Shostack and Andrew Stewart released the book The New School of Information Security. And they launched a blog in support of the book and its message.

I wondered about how Shostack perceives the state of IT risk management now, and whether he thinks progress is being made. Here are the highlights of what he told me:

CSO: What’s the premise of New School?

Adam Shostack: The premise is that we need to get more empirical and scientific about how we approach security. Learning more about incidents, rather than hiding them. Understanding that people are a critical part of the equation and we have to study and understand people as well as the technology.

And that there’s a movement [toward more empirical security risk management] that we try to give some form to and encapsulate.

How was it received?

I think there were two general things people said. One group really loved the book and picked up on the themes and said, “This is great stuff.”

The other people said, “It’s great stuff, but it's a pipe dream and it's never going to happen.”

There weren’t a lot of people who said, “This doesn't make any sense.” This science stuff, testing stuff, it works; not a lot of people are going to argue with that approach. But they argued with the practicality.


And  what’s  your  percep¬ 
tion  of  the  landscape  today? 

Is  there  a  movement  toward 
more  data-based,  statistically 
sound  risk  management?  Or 
just  a  lot  of  PR  noise? 

I do think there’s real progress. Some amazing progress. Reports like the Verizon data breach report, like the one WhiteHat Security puts out about the state of security among their customers.... Now the people who went that route, in some cases, went through an inordinate amount of back-and-forth convincing their PR department that this was a good idea, to give away some of their data. But I know that some of this stuff really did take some inspiration from the book.

So we’ve got more data now, and more desire for data.

The other thing I’m super excited about is that some of the old myths about what happens after a data breach, that your share price tumbles, that someone always gets fired. There are still some of those, but I see progress in these ways.

More people are recognizing that there are thousands of breaches. So let’s [compare the data].

After the presidential election, Nate Silver entered the mainstream consciousness as a champion of data and modeling and a more rigorous approach to forecasting. I liked your recent blog post, where you asked, “Where is the Nate Silver of information security?”

At this point, I think of my role a little bit as a provocateur. We made a set of points in the book. People nodded and said, “Yeah that makes sense,” and we’re starting to see these proof points, so my goal now is to get people to start making predictions. And see what happens.

Not shooting to be exactly right, yet, but with the goal of refining the predictive models and making them more accurate?

Exactly.

Aside from the book, what other resources would you point security pros to, in order to strengthen their analytical approach?

I’ve talked already about the data, the studies that are available. So let me plug someone else’s book: Thinking, Fast and Slow, by Daniel Kahneman, who has won the Nobel Prize in economics. It’s phenomenal. My copy is chock full of Post-It notes of stuff I want to get back to.

I have it right here in front of me. I said earlier that we have to understand how the decisions people make influence security. So I’m tempted to just pull out one random Post-It and see if it applies. Here we go:

OK, he describes an experiment he did [which tested how participants responded to messages that raised the emotional appeal of a new technology]. People who received an explanation of the tech’s benefits also regarded that technology as less risky. So that plays directly into how you think about your security training program. If you are extolling the benefits of a new technology, you are incidentally causing people to think it’s less risky. So be careful to balance the messaging so they understand the real risks [and how to use the technology correctly].

■ Read more of this interview on Editor in Chief Derek Slater’s blog, Risk’s Rewards: http://blogs.csoonline.com/blog/risks-rewards.


18 www.csoonline.com FEBRUARY 2013

Adam Shostack




15 Tips for Landing—and Acing—a Job Interview

Talk about teamwork, be prepared to discuss your weaknesses, don’t forget to interview the interviewer, and more advice from an executive recruiter. By Jeff Snyder


1. Write a great resume to open the door: Interviews are granted to those whose resumes demonstrate accomplishments, contributions and value. If you’re not a great writer and you have trouble tooting your own horn, seek help from industry friends or consider a security-resume writer.

2. Keep phone interviews brief: Even if you’re a local candidate, nowadays first interviews are frequently conducted over the phone. Listen very closely to the questions asked and answer them concisely. This is not the time to sell yourself because the caller is usually only trying to confirm what your resume suggests. Have a set of examples prepared in advance to back up any claims you made on your resume.

3. Wow them face-to-face: Since companies have a variety of dress codes, it is important to find out how a prospective employer wants you to dress for an interview. A company that has a business-casual dress code may want you to interview in a suit and tie. Don’t assume, ask.

4. Listen carefully: Interviews are won or lost in a matter of minutes based on whether a job candidate is listening and answering the interviewer’s questions or whether they bring their own agenda to an interview. Focus on the interviewer’s questions first.

5. Maintain personal integrity: Employers do care whether the claims on your resume match up to what you can actually do. Don’t put information on your resume that you can’t back up with experience and examples. If you’ve only read about new video surveillance systems or you’ve only been briefly exposed to a new firewall technology, be careful not to oversell your experience.

6. Know yourself: You can’t know everything about a company before you interview, but you do have to be able to articulate your strengths. Don’t be caught unprepared. Everyone has weaknesses and is not good at something. Know before you walk into an interview what you’re not good at and how you’re going to talk about that.

7. Rehearse selected interview topics: If you’ve been laid off or fired from previous jobs, don’t wait until you step into an interview to decide how you’re going to explain gaps in your employment. This is the kind of topic that’s good to rehearse ahead of an interview so you know exactly what you’re going to say when you’re under pressure.

8. Articulate how you can contribute: Most businesses are doing more with fewer resources these days. Prepare examples of past contributions to give an employer an idea of how you might contribute to their organization. Often what will separate you from your competition is talking about the way you see yourself contributing to the team, as opposed to only focusing on your individual contribution. This means that you need to prepare examples of how you’ve identified risk, how you’ve mitigated risk, how you’ve made a company more secure or more aware of threats and vulnerabilities, and so on. Be able to articulate what you’ve done to move a business forward.

9. Research corporate and risk culture: Do your homework before going in and avoid interviewing with companies where you won’t appreciate the corporate culture. Researching a company beforehand allows both you and the potential employer to avoid investing time in an incompatible pairing; for example, if a company frowns on multiple piercings or visible tattoos but that is your chosen style.

Learn about a company’s risk culture before you interview. If your experience is from a highly regulated bank, for example, and you don’t know how to build a business case without leaning on the Gramm-Leach-Bliley Act to make your case, you probably won’t interview well at a company that is much less regulated and where you have to support your case with business value.

10. Use LinkedIn for research appropriately: LinkedIn is a handy research resource. Use the site to research people who will be part of your interview process, or to find people who used to work where you’re about to interview. Don’t, however, make the mistake of sending an unsolicited LinkedIn invitation to people you’ve researched. Some people will think this is creepy and it could adversely affect your interview process.

11. Prepare business and technical questions: If you’ve done your research on a prospective employer, one of the best ways to demonstrate that is by asking questions. Prepare a few questions for the employer based on your research. In many cases, you may wind up knowing more about the company than the person who’s interviewing you. Some of your questions should be technical security-centric questions. Others should focus on business issues you learned about while conducting your research. Some questions should be specifically for the hiring manager. Get to know the person you’re considering spending eight or more hours per day with.

12. Interview the interviewer: It is your job to interview a prospective employer as much as it is the employer’s job to interview you. Build questions that will help you learn about a hiring manager’s managerial style and expectations. Ask others you’ll interview with who are not the hiring manager what it is like to work for the hiring manager. Do this homework before you accept an offer. Don’t wait until you’ve already given up your current job to determine that you’ve gone to work for the wrong boss.

13. Don’t put the interviewer on the spot: There is a fine line between showing interest in a position and backing an interviewer into a corner. Come up with a way to clearly demonstrate your interest in a position if you’re truly interested, but don’t press the interviewer for an immediate assessment of your interview performance. The goal of asking questions is not to put the interviewer on the spot but to gather information.

14. Stay sharp from beginning to end: You want to be yourself when you interview. Stay relaxed from start to finish, but resist the temptation to get too comfortable too soon by assuming that the job is yours and that you can let your guard down.

By the way, there is no excuse for being late to the interview. Always arrive early and if need be just relax in the parking lot and get a feel for the organization until 10 minutes before you are expected. When asked to deliver documents or complete an online application process, do so with diligence and deliver on or before the agreed-upon due date.

15. Follow up after the interview: Interviewers aren’t thanked for their time as often as you might think. Have a follow-up plan in mind before you engage in an interview. If you’re going to use email, make sure you get business cards from those you encounter. If you’re going to use a handwritten thank-you note, make sure you have the correctly spelled names and titles of the interviewers, and make sure you have correct mailing address information.

Be sure you don’t leave anyone out when you follow up. You never know who might be impressed by your follow-up or who might be offended if they’ve been left out.

Jeff Snyder is the president of SecurityRecruiter.com, an executive search firm specializing in the recruitment of security, risk-management and compliance professionals.


SOCIAL SECURITY

■ Lead


Many IT Pros Are Unaware of the Most Common Threats

Kaspersky, in partnership with B2B International, has conducted a survey twice in two years that covers IT professionals working for large and midsize businesses. The aim of the annual survey is to find out what IT specialists think of corporate security solutions, and to determine their level of knowledge about current threats, what sort of problems they face most often and their ability to evaluate the risks associated with cyberthreats.

Kaspersky says the sample includes more than 3,300 senior IT professionals from 22 countries. All respondents were influential in creating their companies’ IT security policy and had a good knowledge of both IT security issues and general business matters (finance, HR, and so on). Globally, respondents were drawn from companies of three sizes: small businesses (10-99 computerized seats), medium businesses (100-999 seats) and enterprise organizations (1000+ seats).

A summary of the study says:

“The survey revealed that 31 percent of IT professionals have not heard of any of the most common cyberthreats, including those targeting the corporate sector. It turned out that only 31 percent of respondents were aware of SpyEye and Zeus, while Duqu went largely unnoticed; only 13 percent of those surveyed having heard of the computer worm. It should be noted that nearly half of those who have heard about these threats consider them a danger to their business. However, the general cyberthreat awareness of the modern IT professional leaves much to be desired.”

Despite this widespread lack of information, the research goes on to say that preventing IT security breaches was the top concern for IT professionals surveyed. Among those polled, 31 percent said preventing security breaches is the biggest worry. Other top responses included data protection (another security concern) at 27 percent, and ensuring IT systems are used fully to maximize IT infrastructure ROI at 23 percent.

Clearly, security is on the minds of IT leaders. So if these folks are so concerned about their organization’s security, and worried they might be breached, why are so many still unaware of some of the most well-known, highly publicized threats out there?

This next set of stats helps us understand why: The research finds that 44 percent of respondents indicated budget constraints are an obstacle to tighter security within their organization. And 37 percent cited a significant degree of misunderstanding of IT security issues among those in charge of the purse strings. Insufficient numbers of trained personnel to deal with IT threats is the third-most-cited problem. - Joan Goodchild




“Why do I never worry about Facebook privacy? Because I never share anything on Facebook which I want to keep private. Not the right place.”

Harry McCracken (@harrymccracken)

“We secretly replaced the Java on millions of users’ machines with an insecure blob of hacker bait. Let’s watch what happens.”

Ed Bott (@edbott)

“‘Strong’ passwords are 8 characters or more? I’m turning off the damned Internet for a while after reading that.”

Jack Daniel (@jack_daniel)


The 5 Most Common Myths About Awareness

I’m often amazed by all the myths and misconceptions that pervade the security community when it comes to security awareness training. Here are the most common falsehoods I have heard, and why they are wrong.

1. Training Does Not Work

I often hear people say, “Awareness does not work. I have never seen an awareness program actually change people’s behavior.”

To be honest, I have to agree with this statement. Most awareness programs in the past have failed to change behavior. However, that is because most programs in the past were not designed to change behavior. Their only goal was to meet compliance requirements, to check the box. As a result, the absolute minimum was invested.

These bare-minimum awareness programs are the ones where someone runs a single PowerPoint presentation once a year, or perhaps sends out a quarterly security awareness newsletter.

For an awareness program to effectively change behavior, you need to create a program that is designed from the ground up to change behavior.

2. It’s Not Worth It Because Someone Will Still Mess Up

People tell me that awareness is a failure; that no matter how much you train people, there is always a small group of people that will still fall victim. Folks, security is all about reducing risk, not eliminating it.

Awareness is nothing more than another security control. Why people hold awareness to a different standard is something I’ll never understand. Awareness is no different than encryption, firewalls or intrusion detection. However, with awareness, you can get a tremendous return on your investment, in many cases reducing up to 95 percent of the human risk, according to measurements taken in phishing tests. Show me any other control that will get you that type of ROI.

3. People Already Know What to Do

I’ve read interesting reports from academics that say people already know what secure behaviors to follow, they just choose not to follow them.

Wow, where are these people getting their data? With the organizations I work with, not only do people usually have no idea what secure behaviors they should follow, but they are also hungry to learn. They know there are bad guys online, but they don’t know what to do to protect themselves from them. The problem is not the people. The problem is that we are not effectively training them.

What is the number-one thing that, in my experience, people did not know? They had no idea that keeping operating systems and applications current was critical to keeping their computers and mobile devices secure.

4. It’s All About Prevention

When people discuss awareness, they usually focus on just prevention—they’re trying to implement the idea of the “human firewall.”

While prevention is important, why limit ourselves? Why not train people to become human sensors as well?

Teach workers the indicators of a compromise and have them report potential incidents. For example, if you are doing phishing assessments internally, you should not just track how many people fall victim, but also how many detect and report the attacks. Just think how much stronger your organization would be then.

5. It’s Simple

Many people I work with assume that creating an awareness program is simple. If your only goal is compliance, then yes, awareness programs are simple. But if you want to effectively reduce risk by changing human behavior, you need to have a plan. Specifically, you need to identify who you are targeting in your program, what changes in behavior reduce the greatest risks to your organization, and how you will engage and communicate those changes in behaviors.

One of the most common obstacles to effective awareness programs that I see at companies is that they do not know where to begin. You can find a complete set of free planning resources developed by the community, for the community, on the SANS Securing the Human website, which includes a poster that documents each step to take and provides all the templates and checklists you need to build your program.

I’m a huge fan of awareness, and I have seen the tremendous impact it can have. However, until we as a community start securing the Human OS, the bad guys will continue to have it easy. Technology alone can only go so far.

Lance Spitzner is the training director for the SANS Securing the Human Program.


Cover Story


Many organizations are still in the dark when it comes to using big data to improve security. But for Zions Bancorporation, it’s old hat. By Bill Brenner

A year ago—perhaps a bit more—big data was just starting to take its place among the industry’s most-used buzz terms. Today everyone talks about it as a potentially powerful piece of enterprise security. But there are still plenty of practitioners struggling to get the concept, much as they struggled to figure out cloud security a few years ago.

But Preston Wood, Zions Bancorporation’s CISO and executive VP of security, finds it puzzling that so many find big data such a struggle.

He’s been using big data, by one name or another, to bolster his security program for decades. In recent years, Wood and his team have embarked on major overhauls to their program to better process data that moves more freely and quickly in and out of the network. By adopting such tools as Hadoop, they’ve greatly increased the amount of data they can analyze at one time. And they’ve figured out how to do it in something close to real time, cutting it down from the full-day task of the past. This is the story of how Zions pulled it off.

What’s Old Is New

Though the term “big data” is new, Zions has been applying the concept since the 1990s, when it began using its immense supply of information (its security tools and devices alone produce about 3 terabytes of data per week) to make sense of its security posture. “We had a big data strategy before it was called big data,” Wood says.

The company certainly has plenty of data to draw from. It has eight banking operations and 500 physical locations throughout the western United States. It was an early adopter of security information and event management (SIEM) technology, using it to better analyze its data flow.

When it comes to big data, experts tend to focus on how it can be used to boost revenue; to a lesser extent, they may note and assess the security risks of big warehouses of (potentially) valuable business intelligence and analytics. But Zions did something different: It decided to make the big data approach a central piece of its security, rather than looking at the information as just another potential hole in its defenses.

The company’s massive data stores are used to make better sense of the activity on its network. If someone on the inside or outside is poking around, trying to break into the company’s systems, the clues are there, waiting to be sifted from the larger data supply.

Enter SIEM

To better analyze the data and put it to work in the security department, Wood and company became early adopters of SIEM technology.

Among other things, SIEM allowed the security department to:

■ aggregate data from multiple sources, including network, security, servers, databases and applications. That provided the ability to consolidate monitored data and avoid missing critical events.

■ break events into smaller buckets that can be studied for similarities, which may point to attack activity.

■ produce alerts the moment abnormal activity appears.

But by 2008, Zions hit a wall with SIEM. The data supply had become too big and complex to handle. It was now taking months and even years to piece together an actionable picture. The sheer force of data accumulation and the frequency of analysis of events had simply overwhelmed SIEM.

“It’s not that SIEM was obsolete and needed to be replaced with something else,” Wood says. “It’s that we needed something to augment SIEM. It was great for telling the data what to do, but it couldn’t tell us what to do.”

The Problem of Scale

The team went looking for the missing piece of the puzzle and soon found it in Hadoop.

Open-source Hadoop technology is the engine that drives many of today’s more successful big-data security programs. Companies use it to gather, share and analyze massive amounts of structured and unstructured data flowing through their networks. Wood swears by it.

“Now, SIEM is for some data sources just a feed into the security data warehouse,” Wood says. Hadoop became the central ingredient in building that warehouse. The company began moving to Hadoop in 2010. Within a year, the team was using the platform exclusively. The positive results came fast and furious. Since Zions’ myriad security tools and devices produce several terabytes of data per week, loading a day of logs into the system would be a daylong process. Now it’s almost happening in real time.

That’s crucial in a world where the bad guys have developed speedy methods of attacking company data and networks. Hadoop can process well over a hundred data sources at a time, uncovering pings on the perimeter, malware infecting parts of the network, social engineering attempts such as spear phishing, and more.

For many companies, Hadoop has also made big-data security affordable, according to Adrian Lane, CTO and security analyst at Securosis. “The cloud has made big data more accessible and affordable. Free tools like Hadoop have been a significant driver. It always comes down to money—what’s cheaper,” he says.

How Hadoop Works

The Apache Hadoop site describes the technology as “a framework that allows for the distributed processing of large data sets across clusters of computers using simple programming models.” It’s designed to scale up from single servers to thousands of machines, each offering local computation and storage. “Rather than rely on hardware to deliver high availability, the library itself is designed to detect and handle failures at the application layer, delivering a highly available service on top of a cluster of computers, each of which may be prone to failures.”

Hadoop includes the following modules:

■ Hadoop Common: The common utilities that support the other Hadoop modules.

■ Hadoop Distributed File System (HDFS): A distributed file system that provides high-throughput access to application data.

■ Hadoop YARN: A framework for job scheduling and cluster resource management.

■ Hadoop MapReduce: A YARN-based system for parallel processing of large data sets.

Other Hadoop-related projects at Apache include:

■ Avro: A data serialization system.

■ Cassandra: A scalable multi-master database with no single points of failure.

■ Chukwa: A data-collection system for managing large distributed systems.

■ HBase: A scalable, distributed database that supports structured data storage for large tables.

■ Hive: A data warehouse infrastructure that provides data summarization and ad hoc querying.

■ Mahout: A scalable machine-learning and data-mining library.

■ Pig: A high-level data-flow language and execution framework for parallel computation.

■ ZooKeeper: A high-performance coordination service for distributed applications.
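The three SIEM jobs listed earlier (aggregate many sources, bucket similar events, alert on abnormal activity) and the map/shuffle/reduce programming model that Hadoop MapReduce is built on, as an added example that is not code from the article, from Zions or from Apache Hadoop: a single-process Python imitation of a MapReduce job over constructed log lines from three invented sources, with invented bucket names, thresholds and addresses.

```python
"""Added example (not from the CSO article, Zions or Apache): a single-process
imitation of Hadoop's map / shuffle / reduce model over constructed log lines,
covering the SIEM jobs the article lists: aggregate, bucket, alert."""
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample records as (source, line); addresses are RFC 5737
# documentation ranges, users and hosts are invented.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("firewall", "2013-02-01T08:00:01 action=DENY src=203.0.113.9 dst=10.0.0.5 dport=22"),
    ("firewall", "2013-02-01T08:00:02 action=DENY src=203.0.113.9 dst=10.0.0.5 dport=23"),
    ("firewall", "2013-02-01T08:00:03 action=DENY src=203.0.113.9 dst=10.0.0.5 dport=80"),
    ("firewall", "2013-02-01T08:00:04 action=DENY src=203.0.113.9 dst=10.0.0.5 dport=443"),
    ("firewall", "2013-02-01T08:00:05 action=DENY src=203.0.113.9 dst=10.0.0.5 dport=3389"),
    ("firewall", "2013-02-01T08:00:06 action=DENY src=203.0.113.9 dst=10.0.0.5 dport=8080"),
    ("firewall", "2013-02-01T08:00:07 action=ALLOW src=192.0.2.20 dst=10.0.0.5 dport=443"),
    ("firewall", "2013-02-01T08:00:08 action=DENY src=198.51.100.4 dst=10.0.0.7 dport=22"),
    ("auth", "2013-02-01T08:01:00 result=FAIL user=jdoe src=203.0.113.9"),
    ("auth", "2013-02-01T08:01:02 result=FAIL user=jdoe src=203.0.113.9"),
    ("auth", "2013-02-01T08:01:04 result=FAIL user=jdoe src=203.0.113.9"),
    ("auth", "2013-02-01T08:01:30 result=FAIL user=asmith src=198.51.100.4"),
    ("auth", "2013-02-01T08:02:00 result=OK user=asmith src=192.0.2.20"),
    ("mail", "2013-02-01T08:03:00 event=attachment_blocked src=203.0.113.77 rcpt=jdoe"),
    ("mail", "2013-02-01T08:03:05 event=attachment_blocked src=203.0.113.77 rcpt=asmith"),
    ("mail", "2013-02-01T08:03:09 event=attachment_blocked src=198.51.100.4 rcpt=jdoe"),
]

Key = Tuple[str, str]  # (event bucket, source address)

# Invented per-bucket counts at which a reduced result becomes an alert.
THRESHOLDS: Dict[str, int] = {"perimeter-probe": 5, "auth-failure": 3, "phish-attempt": 2}


def parse_fields(line: str) -> Dict[str, str]:
    """Split 'timestamp k=v k=v ...' into a dict of the k=v fields."""
    _ts, _, rest = line.partition(" ")
    return dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)


def map_event(source: str, line: str) -> Iterator[Tuple[Key, int]]:
    """Map phase: one raw line in, zero or one ((bucket, src), 1) pair out.
    This is where heterogeneous sources are normalised into one key space."""
    f = parse_fields(line)
    bucket = None
    if source == "firewall" and f.get("action") == "DENY":
        bucket = "perimeter-probe"
    elif source == "auth" and f.get("result") == "FAIL":
        bucket = "auth-failure"
    elif source == "mail" and f.get("event") == "attachment_blocked":
        bucket = "phish-attempt"
    if bucket is not None and "src" in f:
        yield (bucket, f["src"]), 1


def shuffle(pairs: Iterable[Tuple[Key, int]]) -> Dict[Key, List[int]]:
    """Shuffle phase: group every value emitted under the same key."""
    grouped: Dict[Key, List[int]] = defaultdict(list)
    for key, value in pairs:
        grouped[key].append(value)
    return grouped


def reduce_count(key: Key, values: List[int]) -> Tuple[Key, int]:
    """Reduce phase: collapse one key's values to a single count."""
    return key, sum(values)


def run_job(records: Iterable[Tuple[str, str]]) -> Dict[Key, int]:
    """Run map -> shuffle -> reduce over records from every source at once."""
    pairs = (pair for source, line in records for pair in map_event(source, line))
    return dict(reduce_count(k, v) for k, v in shuffle(pairs).items())


def alerts(counts: Dict[Key, int]) -> List[str]:
    """Per-bucket alerting: any key whose count reaches its threshold."""
    return sorted(f"{bucket}: {src} ({n} events)"
                  for (bucket, src), n in counts.items() if n >= THRESHOLDS[bucket])


def cross_source_actors(counts: Dict[Key, int], min_buckets: int = 2) -> Dict[str, List[str]]:
    """Second reduce over the first job's output: addresses seen in several
    buckets, including one that stays under every per-bucket threshold."""
    seen: Dict[str, set] = defaultdict(set)
    for bucket, src in counts:
        seen[src].add(bucket)
    return {src: sorted(b) for src, b in seen.items() if len(b) >= min_buckets}


if __name__ == "__main__":
    totals = run_job(SAMPLE_RECORDS)
    for text in alerts(totals):
        print("ALERT", text)
    for src, buckets in cross_source_actors(totals).items():
        print("CROSS-SOURCE", src, buckets)
```

On the sample data, 198.51.100.4 trips no per-bucket threshold yet appears in all three buckets, which is the kind of event the article says consolidating sources is meant to stop missing.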

Do Your Homework

As with any technology, Hadoop adopters need to be aware of vulnerabilities in the tool itself, as well as the myriad compatibility and configuration problems that can crop up with any such tool.

“Like some of the [governance, risk and compliance] installs we’ve seen, this can bomb enormously and be a massive money waste,” says Alex Hutton, Zions’ director of technology and operations risk and governance.

His advice? Do your homework before rushing in. Take all the necessary time to flesh out a detailed road map for the data you’re looking to process, carefully review how Hadoop will behave with the rest of your network, and develop a clear taxonomy model and strict metrics for it to follow.

Hutton says Zions achieves that by using a combination of custom controls and the Vocabulary for Event Recording and Incident Sharing (VERIS) framework, which provides a common language for describing security incidents in a structured and repeatable manner.

“Custom controls and VERIS are our ontologies for metrics. FAIR [factor analysis of information risk] is our risk ontology. Specific metrics support the conceptual categories these ontologies describe,” he says.

If you don’t have these things, Hutton adds, you are not ready to use big data as a security tool.

Because Wood’s team did all its homework before rolling out the new warehouse, Zions enjoyed a relatively smooth deployment. As long as other companies also do their homework, they can hope for similar success, Hutton says.


■ Contact Managing Editor Bill Brenner at bbrenner@cxo.com.


Data Protection

5 Places Your Data Goes to Hide

From auto-saved spreadsheets to test systems that use live data, CISOs warn of five often-overlooked sources of data leaks. By David Geer


“INFORMATION  WANTS  TO  BE 
free”  is  a  gross  understatement. 

Enterprises  blanket  their  systems 
with  security  in  an  attempt  to  saturate 
every  data  repository  with  protection. 
Organizations  affirm  that  logic,  layer¬ 
ing  access-management  tools,  security 
zones  and  much  more  to  safeguard 
information  assets.  Yet,  somehow,  data 
still  leaks.  Real-world  exposure  occurs 
virtually  every  day. 

Advanced malware attacks get a lot of ink, but careless employees, incomplete policies and the invasion of consumer technologies create plenty of risks as well.

Here are five places where data sometimes avoids the protective eye of security systems and policies.

1. Spreadsheets

Let’s start with the most obvious hiding place: spreadsheets.

Spreadsheets contain varied and often sensitive data sets: financials, credit card numbers, HR data.


This, you knew.

When enterprises neglect security measures such as passwords and share these files via email, file shares and collaboration suites, that data could end up anywhere. Employees endanger spreadsheet data when they connect away from the office to less-secure home and hot spot networks. Lost or stolen laptops, USB keys, DVDs and smartphones expose the files when security plans neglect disk- or file-level encryption, or both, says Craig Shumard, a former CISO of Cigna who’s now turned to consulting.

Meanwhile, back at the office, spreadsheets are still falling victim to low-tech exposures, such as employees printing them out and leaving them lying around.

In one example, shared by Ed Bellis, former CISO of Orbitz, a good employee with the best of intentions combined with poor security to put critical data in a bad position. “We found out one of our payroll people had dumped a bunch of data into a spreadsheet and saved it on a laptop, which was stolen. The disk was not encrypted,” he says. In this particular instance, nothing came of it, says Bellis, but something certainly could have.

So spreadsheets like to wander. This you also knew.

The word “spreadsheet” used to refer to Microsoft Excel documents (unless your career goes back to the Lotus 1-2-3 era). Today, of course, there is a handy cloud-based spreadsheet tool in Google Docs. (More about file-syncing services in a moment.) So hunting for errant spreadsheet data means looking in more and more places.

Hopefully you knew that too.

But have you also considered that even unattended settings may leave gaping security holes as well?

“If you don’t take into account how your auto-save settings are configured in Excel, the application can create a shadow copy on your local machine, open to anyone who can get to it,” notes Adam Gordon, CISO of New Horizons Computer Learning Centers.

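The practical follow-up to the spreadsheet problem is to go looking for the wandering copies yourself: a discovery sweep that covers file shares as well as the local temp and autosave folders Gordon describes, and that validates candidate card numbers with a Luhn check so order numbers and IDs do not drown the real hits. The script below is an added example written for this article, not code from the article or from any of the CISOs quoted; the directory layout, file names and card numbers it builds are constructed sample data (standard test numbers), and .xlsx files are read by stripping the XML inside the zip container rather than with a spreadsheet library, so it runs with the Python standard library alone.

```python
"""Added example: sweep a directory tree for card-number-like data in
spreadsheet and text files, including temp/autosave locations.
All paths, file names and numbers below are constructed sample data."""
import os
import re
import tempfile
import zipfile

# 13-19 digits, optionally separated by spaces or dashes, not part of a
# longer digit run.  Each candidate is then validated with the Luhn check.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TAG = re.compile(r"<[^>]+>")
SCAN_EXTENSIONS = {".csv", ".txt", ".xlsx"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Report only the last four digits; the sweep must not leak the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def extract_text(path: str) -> str:
    """Searchable text of a file.  An .xlsx is a zip of XML parts; cell
    values and shared strings remain once the tags are stripped."""
    if path.lower().endswith(".xlsx"):
        parts = []
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.startswith("xl/") and name.endswith(".xml"):
                    parts.append(TAG.sub(" ", zf.read(name).decode("utf-8", "replace")))
        return "\n".join(parts)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def find_card_numbers(text: str) -> list:
    """Masked forms of every Luhn-valid 13-19 digit number in the text."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_tree(root: str) -> list:
    """Walk root; return sorted (relative path, masked number) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fn)
            for masked in find_card_numbers(extract_text(full)):
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), masked))
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed sample data: a payroll CSV on a share, an autosave copy in a
    user's temp folder, and a minimal .xlsx stand-in (two XML parts in a zip).
    The order number in the CSV is a deliberate Luhn-invalid decoy."""
    finance = os.path.join(root, "shares", "finance")
    temp = os.path.join(root, "Users", "todd", "AppData", "Local", "Temp")
    os.makedirs(finance)
    os.makedirs(temp)
    with open(os.path.join(finance, "payroll.csv"), "w") as fh:
        fh.write("name,card,order\nA. Example,4111 1111 1111 1111,1234567890123456\n")
    with open(os.path.join(temp, "payroll~autosave.csv"), "w") as fh:
        fh.write("name,card\nA. Example,4111-1111-1111-1111\n")
    with zipfile.ZipFile(os.path.join(finance, "plan.xlsx"), "w") as zf:
        zf.writestr("xl/sharedStrings.xml", "<sst><si><t>Card on file</t></si></sst>")
        zf.writestr("xl/worksheets/sheet1.xml",
                    "<sheetData><row><c><v>5555555555554444</v></c></row></sheetData>")


def demo() -> list:
    """Build the constructed tree in a temp dir, sweep it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, number in demo():
        print(f"{path}: {number}")
```

The sweep reports the autosave copy under the user profile alongside the copy on the share, which is the point: the inventory of where spreadsheet data lives has to include the places Excel writes to on its own. Extending the file-type list or the patterns (for example to account numbers that have no checksum) is the usual next step.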
2. SharePoint

SharePoint is Microsoft’s file-sharing, collaboration and content-and-project-management tool. “SharePoint is capable of handling more than 200 file types out of the box without any customization,” Gordon says.

Imagine the data it can unleash.

Enterprises use this popular application to enable data-sharing outside the organization. And if access controls and other security essentials are lacking, these installations can leave data unguarded. When the enterprise doesn’t establish consistent policies about permissible SharePoint data, when transferred or terminated employees retain access to the application, or when the enterprise permits remote access, critical information can end up in the wind.

Various administrative bloopers and bad judgment calls can exacerbate these risks. Incorrectly configuring services that analyze and present data to SharePoint, such as Excel, Visio and PerformancePoint business services, can create security holes, according to Gordon. Administrators who inappropriately grant broad access rights to people who shouldn’t have them—usually just trying to provide a quick fix for some workday problem—also create vulnerabilities, Gordon explains.

The simpler the mistake and the greater the exposure, the more the embarrassment.

“I had a customer who inadvertently allowed the organization to post proprietary financial data to the external side of its SharePoint portal, allowing customers to see account information and transactional data,” says Gordon. In this case, a live data feed was mistaken for the test data feed and errantly input into the test system. When the test system’s output was shared on the public side of SharePoint with the partners and vendors who were examining it to fix and improve the test system, they saw the confidential information as well. (More on the horrors of test system misuse a bit later.)

3. Dropbox (and Similar Services)

Dropbox is similar to SharePoint but is potentially more hazardous, since the enterprise customer does not manage the externally hosted cloud file-sharing service. Dropbox and its ilk—Google Drive, SkyDrive, Box, and so on—are designed to appeal to consumers with extremely simple account setup. So it’s almost inevitable that they’d wind up being used for enterprise data.

Once Dropbox is sending information to the public Internet and mobile devices outside the enterprise perimeter, that data can make its way to eyes that don’t have the proper authorization. “Almost anything could end up on a public Web server outside the company’s control,” says Bellis.

Beyond its public nature, Dropbox has another weakness: passwords.

Obviously, hackers can guess weak Dropbox passwords or acquire user IDs and passwords through social engineering, says Gordon. The most common password vulnerability, however, is the reuse of Dropbox passwords on other systems (email, websites), which are also vulnerable to compromise.

In a widely publicized debacle from July of 2012, a Dropbox employee stored an unencrypted document inside the file-sharing app that listed users’ email addresses. An attacker logged into the employee’s account using a password the employee had reused on another, infiltrated site. The attacker then obtained a copy of the unencrypted document and used the email addresses to unleash a flood of spam on Dropbox users.

The password reuse problem is, of course, not unique to file-syncing services.




But Dropbox customers have faced internal issues. In August of 2011, an employee of the Chocolate Emporium maliciously copied the company’s entire customer database to Dropbox, including credit card numbers. The company recovered the records, but an arrest and lawsuits ensued, according to the Open Security Foundation’s DataLossDB.org.

Provide data with a way out of the organization, and sooner or later someone will try to abuse it.

4. The Printer Graveyard

Today’s enterprise-class printers and fax machines come with internal hard drives. These devices store images of everything they process, exposing data from any department that uses them. Compromise is possible when administrators don’t use available encryption and user IDs and don’t automatically delete data off the drive on a schedule, such as every two hours, says Shumard, the former Cigna CISO.

The same data from the same file types—such as company directories and strategic plans found in Word, Excel, PowerPoint and innumerable other formats—are up for grabs when these devices are decommissioned or returned at the end of a lease without the enterprise first wiping the drives by degaussing or overwriting them.

“There have been cases where remnants of credit card and social security numbers were left on these devices, or classified military or government data was being pulled out of hard drives left in these devices when they were decommissioned,” says Gordon.

In fact, he notes printer memory can be a liability even before it goes to the great scrap yard in the sky: “Hackers have also perpetrated bogus service calls posing as copier service technicians in order to steal proprietary IP from devices still in service.”

Now, not just anyone can easily hack every device with RAM. “Many of these devices have proprietary OSs such that you cannot break the code with less than a high level of security knowledge,” says Ondrej Krehel, CISO of Identity Theft 911. However, when these devices process documents, the system often stores the document in three different formats in three different places, including PDF files dropped in temporary folders on the user’s computer, explains Krehel.

If there is nothing in the security plan to account for this system behavior, the data becomes as vulnerable as the user’s computer is.

5. Test Systems and Development Environments

The enterprise should test new systems before deploying them to the production environment. That’s clear.

However, when IT or developers use live data in test systems, they can expose whatever information is typically handled by the departments that will be using the systems.

If live data, including personally identifiable information or intellectual property, is left on the test system, people on the test team and departmental end users who are testing the system may be able to get to it, explains Ruben Obregon, former CISO at a midsize nonprofit.

“And if the test data remains on a hard drive that is reused later, still others could reach it,” he says.

“I have seen production data make its way into development environments that lack the same controls normally found in production. Whether those are access, encryption or integrity controls, all bets are off when people move this data into an environment that is not quite as locked down,” says Bellis, the former CISO of Orbitz.

“I have witnessed issues where production data was migrated to a less-controlled environment and, despite nothing but good intentions, managed to end up on completely open environments such as consultant laptops and portable devices,” he says.

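The standard defence against the test-system problem the CISOs describe is to never let live values cross into the less-controlled environment in the first place: mask the production extract before it is copied, and gate the copy on a check that nothing identifiable survived. The code below is an added example written for this article, not from the article or from any of the organizations mentioned. It pseudonymizes identifier fields with a keyed HMAC so that rows that belonged to the same customer still match up in test (joins and regression tests keep working) while the key stays in production, truncates card numbers to their last four digits, and refuses an extract that still carries live-looking values. The field names, records and key are constructed sample data.

```python
"""Added example: mask a production extract before it goes to a test or
development environment.  Records, field names and the key are constructed
sample data, not from the article."""
import hashlib
import hmac
import re

# Fields that may leave the production boundary only in masked form.  In a
# real deployment this list comes from the data classification.
PII_FIELDS = {"email", "ssn"}
CARD_FIELDS = {"card"}
CARD_SHAPE = re.compile(r"^\d{13,19}$")
SSN_SHAPE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic token: the same production value always yields the same
    token, so relationships between rows survive, but without the key (which
    never leaves production) the token cannot be turned back into the value."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def mask_card(value: str) -> str:
    """Keep only the last four digits; reject anything that is not a card."""
    digits = re.sub(r"\D", "", value)
    if not CARD_SHAPE.match(digits):
        raise ValueError("card field does not look like a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_record(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in PII_FIELDS:
            out[field] = pseudonym(value, key)
        elif field in CARD_FIELDS:
            out[field] = mask_card(value)
        else:
            out[field] = value          # non-sensitive columns pass through
    return out


def mask_extract(records: list, key: bytes) -> list:
    return [mask_record(r, key) for r in records]


def verify_clean(records: list) -> list:
    """Pre-copy gate: names of fields that still carry live-looking values.
    An empty list means the extract may be handed to the test team."""
    problems = set()
    for r in records:
        for field in PII_FIELDS:
            if field in r and ("@" in r[field] or SSN_SHAPE.match(r[field])):
                problems.add(field)
        for field in CARD_FIELDS:
            if field in r and CARD_SHAPE.match(re.sub(r"\D", "", r[field])):
                problems.add(field)
    return sorted(problems)


# Constructed production extract: two transactions for the same customer,
# whose email was captured with different capitalization.
PRODUCTION = [
    {"id": 1, "email": "Ann@example.com", "ssn": "123-45-6789",
     "card": "4111111111111111", "amount": "42.00"},
    {"id": 2, "email": "ann@example.com", "ssn": "123-45-6789",
     "card": "4111111111111111", "amount": "7.50"},
]
PROD_KEY = b"constructed-demo-key-not-for-real-use"


def demo() -> list:
    """Mask the constructed extract and confirm the gate passes it."""
    masked = mask_extract(PRODUCTION, PROD_KEY)
    if verify_clean(masked):
        raise RuntimeError("masked extract still contains live values")
    return masked


if __name__ == "__main__":
    print("live extract problems:", verify_clean(PRODUCTION))
    for row in demo():
        print(row)
```

Two design points matter here. The HMAC key is the only thing that makes the tokens unlinkable to real people, so it is handled like any other production secret and is never shipped with the extract; and the gate runs on the masked output, not on the process, because the failure mode Bellis describes is exactly the well-intentioned copy that skipped a step.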

■ David Geer is a freelance contributor. Send feedback to Editor in Chief Derek Slater at dslater@cxo.com.






CSI: Log Files

“A security audit of a U.S. critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the Internet.... [He] had FedExed [the subcontractor] his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities.”

—From “Security Audit Finds Dev Outsourced His Job to China to Goof Off at Work,” The Register, Jan. 16, 2013


■ A high volume of Skype connections to an 888 toll service reveals that Todd, the mild-mannered assistant in the comptroller’s office, answers calls for the Psychic Love Hotline at lunchtime.


Other possible findings:


■ Colleen, the CIO, actually spends most office days auto-tuning corporate earnings teleconferences into trance/acid-house remixes for her side job as a wedding reception DJ.


■ Using a byzantine set of Tor router hops, someone in engineering is exporting detailed CAD renderings of elaborate cosplay outfits.


Yves Tennevin/Flickr


THE EMPLOYEE SECURITY AWARENESS NEWSLETTER FROM THE EDITORS AT CSO


Security Smart is a quarterly security awareness newsletter ready for distribution to your employees—saving you precious time on employee education! The compelling content combines personal and organizational safety tips, so it is applicable to many facets of employees’ lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees—your organization’s most valuable assets—will read and retain the information.


Subscribe today!

To view a sample issue of the newsletter, learn about the delivery options and to subscribe, visit: www.SecuritySmartNewsletter.com


For more information please visit www.SecuritySmart.com

Security Smart is published by CSO, a business unit of CXO Media. © 2012 CXO Media Inc.


avigilon.com 


See more detail with Avigilon’s high-definition surveillance solutions.


Protect your assets with the unparalleled image clarity of Avigilon’s end-to-end surveillance systems. Our broad range of megapixel cameras and easy-to-use software can help you identify more details than a standard analog system and deliver the best evidence. Learn more about how Avigilon’s high-definition solutions can benefit your organization at avigilon.com/markets or schedule a meeting with one of our product experts at +1.888.281.5182.


Avigilon

THE BEST EVIDENCE


